IBM Solutions for Securing the Cloud

People and Identity: Businesses need to make sure people across their organization and supply chain have access to the data and tools that they need, when they need them, while blocking those who do not need or should not have access. In cloud environments, where the number of users is extended, these controls become even more critical. IBM offers the following to assist:

Tivoli’s Identity and Access Assurance solution offers access management and single sign-on solutions to address the difficulty of executing security policies across a wide range of Web and application resources. When deployed in cloud environments, these solutions provide validation and processing of user identity information and address the need for authentication of users to the cloud ecosphere.

For cloud identity federation, Tivoli’s Federated Identity Manager offers a single access method for users into cloud and traditional applications. It enables trust between SOA-based initiatives by connecting users to services across business domains and helps enterprises strengthen and automate user access rights. Cloud computing infrastructures involve enormous pools of external users constantly logging in to leverage shared IT services, and this product’s authentication management features can help deliver significant business value.

An additional user-oriented concern with the adoption of virtualization technologies is the challenge of controlling privileged users or "root" accounts. Many security breaches and audit failures in UNIX/Linux environments result from a lack of oversight and control of these privileged accounts. IBM Tivoli Access Manager for Operating Systems is a policy-based access control system for UNIX/Linux operating systems.
It can help protect individual application, network, data, and operating system resources, enforce security policies consistently on heterogeneous systems across the enterprise with a single security model, prevent unauthorized access, monitor sensitive access and centralize auditing for compliance.

Information and Data: Organizations need to support widespread electronic collaboration while protecting their critical data — whether it’s in transit or at rest. They want to understand where their critical data lives and have methodologies in place to manage all of the processes associated with classifying, prioritizing and protecting data. A cloud infrastructure offers extraordinary flexibility and efficiency, but it forces you to rethink data security. It used to be that you could protect your data with a perimeter, but now you have to secure that data wherever it resides and when it’s in motion. Businesses are looking for comprehensive capabilities for monitoring, access management and encryption that can be integrated to help address information security across the enterprise. To assist, IBM’s data and information security solutions deliver comprehensive capabilities for data protection and access management that can be integrated to help address information lifecycle security across the enterprise with:
Tivoli’s Key Lifecycle Manager, IBM’s self-encrypting storage devices, IBM Data Encryption for IMS and DB2 Databases, and IBM Database Encryption Expert enable encryption of data so that it is possible to have data in the cloud and still control who can access it. Tivoli Key Lifecycle Manager has strong end-to-end authentication and encrypts the key material as well, so in addition to encrypting the whole channel, you can encrypt the keys themselves. IBM Data Encryption for IMS and DB2 Databases provides proven technologies to encrypt IMS and DB2 databases. IBM Database Encryption Expert can protect sensitive information in both online and offline environments and has centralized policy and key management to simplify data security management.

To address backup and recovery of data stored remotely in the cloud, IBM Information Protection Services provide data protection for business continuity and resiliency. IBM’s BCRS Information Protection Services is a fully managed, usage-based utility service designed as a multi-tenant public cloud, with over 3,400 customers under management. It automatically backs up data to security-rich IBM data centers via your existing network.

Process and Application: Enterprises need to preemptively and proactively protect their business-critical applications and processes from external and internal threats throughout their entire life cycle — from design to implementation and production. But the applications that meet these demands must also be adaptable to constantly changing market demands. Increasingly the choice is to use Web-based applications for these new services. Businesses must focus on the security of these applications in order to protect themselves from potential exposure of confidential information and damage to the systems. These threats are more than inconveniences; they can put the entire business at risk.
Protection from these threats must be taken into account holistically, through the lifecycle of applications, from development to deployment to ongoing management and end-of-life consideration.

For external or internal testing of cloud applications and their hosted infrastructure, IBM offers Rational AppScan, Rational Policy Tester and ISS Vulnerability Assessment Services. These products help companies ensure the Web services they publish into the cloud are secure, compliant and meet their business policies. Rational AppScan provides automated Web application scanning and testing for all common Web application vulnerabilities, including the WASC threat classification (such as SQL injection, cross-site scripting, and buffer overflow), and intelligent fix recommendations to ease remediation. Rational Policy Tester helps ensure site privacy by scanning Web content and producing actionable reports to identify issues that may impact compliance. ISS Professional Security Services performs automated scans to identify OSes, applications, and their respective vulnerabilities.

IBM Optim Data Privacy Solutions de-identify confidential information to protect privacy and support compliance initiatives by applying a range of masking and fictionalized substitution techniques to transform personally identifying information and other confidential corporate data. Optim Test Data Management Solutions improve all levels of application testing and upgrades by aligning application data management with business objectives to help optimize performance, mitigate risk, and control costs while delivering capabilities that scale across enterprise applications, databases and platforms.

Organizations also need the ability to inspect and audit a cloud provider’s logs and records.
To improve the speed of conducting security investigations and to archive forensically sound data that is admissible as evidence in a court of law, IBM offers its IBM Tivoli Security Information and Event Manager and IBM ISS Security Event and Log Management Service. The service enables corporations to compile event and log files from network applications and operating systems, as well as security technologies, into one seamless platform.
“The Virtual Intrusion Network Protection from IBM fits right into our cloud computing strategy and will be a great opportunity for our clients that wish to significantly improve the security of their environments.”
Pat O’Day, CTO, Bluelock

Network, Server and Endpoint: Proactive threat and vulnerability monitoring and management of an organization’s network, server and end points are critical to staying ahead of emerging threats that can adversely affect system components and the people and business processes they support. An end-to-end, defense-in-depth approach for the cloud is critical so that organizations can benefit from security economies of scale, delivering security to many services in a highly cost-effective manner, protecting against the known threats but also guarding against as yet unknown threats.

A critical underlying technology for any cloud environment is virtualization. In today’s virtual data center, organizations need security of the virtualization stack that enables flexible, rapid provisioning across heterogeneous servers and hypervisors. IBM offers the industry’s broadest set of virtualization capabilities via its IBM Systems Group and its ISS Virtualization Security solutions. The Proventia Virtualized Network Security Platform is an extensible virtual security platform that consolidates security applications like intrusion prevention, Web application protection and network policy enforcement into a single solution. With Proventia Virtualized Security Platform, clients can take advantage of unprecedented scale to apply the benefits of virtualization to deliver X-Force powered network protection for virtual network segments, a key element for delivering secure cloud-based services. Relying on over 40 years of heritage and attention to security, IBM virtualization platforms are built with security, not as an afterthought, but as a requirement. ISS Proventia Server stops threats inside Virtual Machines.

Physical Infrastructure: Protecting an organization’s infrastructure means ensuring that its physical assets are also protected from security threats.
Effective physical security requires a centralized management system that allows the monitoring of property, employees, customers and the general public.

To address the restoration and availability of cloud computing resources, IBM will offer the BCRS Resilient Cloud Validation Program in mid-2009 for cloud service providers. By using proven BCRS resiliency consulting methodology, combined with its traditional shared and dedicated asset business and resiliency managed services, IBM is positioning itself to be the premier resiliency provider to cloud service providers.

For data location concerns, IBM offers organizations the ability to process data in specific jurisdictions according to local requirements. IBM’s High Performance On Demand Solutions (HiPODS) team can create a project team anywhere in the world in minutes, assign servers and storage for a project in less than an hour, and dynamically install software components.

Source: IBM
Dynamic Infrastructure is published by IBM. Editorial supplied by IBM is independent of Gartner analysis. All Gartner research is © 2009 by Gartner, Inc. and/or its Affiliates. All rights reserved. All Gartner materials are used with Gartner's permission and in no way does the use or publication of Gartner research indicate Gartner's endorsement of IBM's products and/or strategies. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.